docker-node/.github/workflows/docker-scan.yml at main · sitespeedio/docker-node · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
name: Docker security scan
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    if: ${{ !contains(github.event.head_commit.message, 'docs:') }}
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Build an image from Dockerfile
        run: |
          docker buildx install
          docker buildx build --load --platform linux/amd64 -t docker.io/sitespeedio/node:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
        with:
          image-ref: 'docker.io/sitespeedio/node:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL'